masslogger | 60133d3766356f4132b983d2e34998d0bd6395aa9b79b38e8deef3512412ac51

General

Target

LUSA TEX ORDER 07282020 .exe
Size

1.3MB
MD5

cbd2e0a042f3734b1b72543b3a55bd99
SHA1

e6b6ffe43795d6a4c6b3c60e1dbfe6b2d29333c6
SHA256

044c48fe42178958d8f55e5404e056ff0f1071d865deda9cc42518ab2c87fda7
SHA512

17a7f971ec908a19d0a0c8b9611caf7b0b3148a84723b3cf4d25d0a65b1a45341998a51286ad1dee31c9183010171311d4dd8c53ec603bfba61e37caedd8d10c

Score

10^/10

masslogger collection ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\0F48153F20\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 10 Pro 64bit Windows Serial Key: W269N-WFGWX-YVC9B-4J6C9-T83GX CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 11:45:58 AM MassLogger Started: 5/21/2022 11:45:54 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> NA

Extracted

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
wintom@wls-com.me
Password:
MORELOVE123

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger
MassLogger log file 1 IoCs
Detects a log file produced by MassLogger.

Processes:

yara_rule

masslogger_log_file

yara_rule
masslogger_log_file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LUSA TEX ORDER 07282020 .exeLUSA TEX ORDER 07282020 .exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	LUSA TEX ORDER 07282020 .exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	LUSA TEX ORDER 07282020 .exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

Processes:

LUSA TEX ORDER 07282020 .exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	LUSA TEX ORDER 07282020 .exe
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

LUSA TEX ORDER 07282020 .exe

description pid process target process

PID 4120 set thread context of 64 4120 LUSA TEX ORDER 07282020 .exe LUSA TEX ORDER 07282020 .exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4808 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

LUSA TEX ORDER 07282020 .exe

pid process

64 LUSA TEX ORDER 07282020 .exe

flow	ioc
41	api.ipify.org

description	pid	process	target process
PID 4120 set thread context of 64	4120	LUSA TEX ORDER 07282020 .exe	LUSA TEX ORDER 07282020 .exe

pid	process
4808	schtasks.exe

pid	process
64	LUSA TEX ORDER 07282020 .exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

LUSA TEX ORDER 07282020 .exeLUSA TEX ORDER 07282020 .exe

pid	process
4120	LUSA TEX ORDER 07282020 .exe
4120	LUSA TEX ORDER 07282020 .exe
4120	LUSA TEX ORDER 07282020 .exe
64	LUSA TEX ORDER 07282020 .exe
64	LUSA TEX ORDER 07282020 .exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

LUSA TEX ORDER 07282020 .exeLUSA TEX ORDER 07282020 .exe

description pid process

Token: SeDebugPrivilege 4120 LUSA TEX ORDER 07282020 .exe
Token: SeDebugPrivilege 64 LUSA TEX ORDER 07282020 .exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LUSA TEX ORDER 07282020 .exe

pid process

64 LUSA TEX ORDER 07282020 .exe

description	pid	process
Token: SeDebugPrivilege	4120	LUSA TEX ORDER 07282020 .exe
Token: SeDebugPrivilege	64	LUSA TEX ORDER 07282020 .exe

pid	process
64	LUSA TEX ORDER 07282020 .exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

LUSA TEX ORDER 07282020 .exe

description	pid	process	target process
PID 4120 wrote to memory of 4808	4120	LUSA TEX ORDER 07282020 .exe	schtasks.exe
PID 4120 wrote to memory of 4808	4120	LUSA TEX ORDER 07282020 .exe	schtasks.exe
PID 4120 wrote to memory of 4808	4120	LUSA TEX ORDER 07282020 .exe	schtasks.exe
PID 4120 wrote to memory of 64	4120	LUSA TEX ORDER 07282020 .exe	LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64	4120	LUSA TEX ORDER 07282020 .exe	LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64	4120	LUSA TEX ORDER 07282020 .exe	LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64	4120	LUSA TEX ORDER 07282020 .exe	LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64	4120	LUSA TEX ORDER 07282020 .exe	LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64	4120	LUSA TEX ORDER 07282020 .exe	LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64	4120	LUSA TEX ORDER 07282020 .exe	LUSA TEX ORDER 07282020 .exe
PID 4120 wrote to memory of 64	4120	LUSA TEX ORDER 07282020 .exe	LUSA TEX ORDER 07282020 .exe

outlook_office_path 1 IoCs

Processes:

LUSA TEX ORDER 07282020 .exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe

outlook_win_path 1 IoCs

Processes:

LUSA TEX ORDER 07282020 .exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	LUSA TEX ORDER 07282020 .exe

C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe
"C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD0BD.tmp"
2⤵
- Creates scheduled task(s)
PID:4808

C:\Users\Admin\AppData\Local\Temp\LUSA TEX ORDER 07282020 .exe
"{path}"
2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:64

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LUSA TEX ORDER 07282020 .exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD0BD.tmp
Filesize
1KB

MD5
ab9f8a9574d9209cd8666decb37e33cc

SHA1
b768b98d37b96bcf5eeeb4bae10589a196b66db2

SHA256
2c052172f943620c36053efd2ab1d6ef9fbb671c55669b9f49430f0f7acd7704

SHA512
5059538580cce17a2c7516e3117297310455e38ff32d51c6e17ef188448ce3567f9c968ad478df725ed2ce8630ceee2340246264a6e60877895591a67d45da70

Download Submit
memory/64-137-0x0000000000000000-mapping.dmp

Download
memory/64-138-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/64-140-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/64-141-0x0000000008380000-0x00000000083D0000-memory.dmp

Filesize
320KB

Download
memory/4120-130-0x0000000000760000-0x00000000008B6000-memory.dmp

Filesize
1.3MB

Download
memory/4120-131-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/4120-132-0x0000000005260000-0x00000000052F2000-memory.dmp

Filesize
584KB

Download
memory/4120-133-0x0000000005410000-0x000000000541A000-memory.dmp

Filesize
40KB

Download
memory/4120-134-0x0000000008C70000-0x0000000008D0C000-memory.dmp

Filesize
624KB

Download
memory/4808-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads